Mod-X Central Command Levels 2 and 3 [solutions]

Level 2

Good work on your previous mission – you are ready for your next mission. We now have access to the terminals. We think the intruder is telling the truth – other changes have been made to the system.

A file has been found on the system that is not our own. All we can think of is that this is some kind of installation file the hacker used to speed up his job while he was in our system. We have examined the file, but there appears to be a form of encryption used. I know this is your speciality, so we have assigned you the task of breaking the encryption. Once broken, if you find the location of any other files put on the system include the full location (in standard Windows format) in your mission conclusion.

Good luck apok.

They give us a link to download a zip file which contains a strange .enc file:

$ cat the_FILE.enc
7*,*).9
@-0*>D14(&1D2&(-.3*A84+9<&7*A2NHWTXTKYA<NSIT\XA(ZWWJSY;JWXNTSA7ZSB
(TSYWTQ"(AA<NSIT\XAA)JGZLAA(TSYWTQJ]J

The first thing that came to mind was trying a Caesar decryption, so I used a brute-force approach: I took the Python script from here and made a few modifications.

I am using the whole set of printable characters because I do not know which characters the ciphered message contains. Running the script gives us nonsense strings, except for one:

Key#31: REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Mˆ‚‘Ž’Ž…“\WˆƒŽ–’\C”‘‘„“V„‘’ˆŽ\R”]
"S˜’“‘€˜"a"C:\\WINDOWS\\’˜’“„Œ32\

But something is still off: although it is almost correct, there are some unreadable characters. I'm going to guess the path should be something like:


HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\

After some trial and error I got the right combination:

Python

# Python 3 version of the decoder (the original was written for Python 2, where
# iterating over a byte string yields one-character strings and print is a
# statement whose trailing comma printed a space after every character).
with open('file_MOD.enc', 'rb') as f:
    a = f.read()
for d in a:                          # in Python 3 each d is an int (0-255)
    if 32 < d < 127:
        # printable byte: shift back by 31 (the Key#31 found by the brute force)
        print(chr(d - 31), end='')
    elif 32 < d - 63 < 127:
        # byte above 0x7E: shift back by 31 and fold lowercase to uppercase (63 = 31 + 32)
        print(chr(d - 63), end='')

So, the password is:


C:\WINDOWS\SYSTEM32\DRIVERS\SYSTRAY.EXE
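As an added example (my own code, not the post's script), here is a generalized decoder for this shift scheme: it brute-forces the shift by scoring each candidate against the characters a registry export should contain, applies the same uppercase fold as the post's "ord(d) - 63" branch, and extracts the dropped file's path in standard Windows form, as the mission asks. The input is a constructed stand-in for the_FILE.enc, built from the registry snippet recovered above; ALPHABET, brute_force and find_paths are names I chose.

```python
import re
import string

# Characters a registry export should contain: letters, digits, separators.
ALPHABET = set(string.ascii_letters + string.digits + '\\[]"=:._ \n')

def encode_shift(plain: bytes, shift: int) -> bytes:
    """Byte-wise shift, used only to build the constructed sample below."""
    return bytes((b + shift) & 0xFF for b in plain)

def decode_shift(data: bytes, shift: int) -> str:
    """Undo a byte-wise shift.  Bytes that overflowed past 0x7E (the lowercase
    letters) get an extra -32, so they come back as uppercase: that is what the
    post's 'ord(d) - 63' branch does (63 = 31 + 32)."""
    out = []
    for b in data:
        v = b - shift - (32 if b > 126 else 0)
        if 32 <= v < 127 or v == 10:          # keep printable ASCII and newlines
            out.append(chr(v))
    return "".join(out)

def brute_force(data: bytes, candidates=range(1, 128)) -> int:
    """Return the shift whose decoding contains the most expected characters."""
    def score(shift: int) -> int:
        return sum(c in ALPHABET for c in decode_shift(data, shift))
    return max(candidates, key=score)

def find_paths(text: str) -> list:
    """Windows paths from a .reg export, with its doubled backslashes collapsed."""
    return [p.replace("\\\\", "\\")
            for p in re.findall(r'[A-Za-z]:\\\\[^"\r\n]*', text)]

# Constructed stand-in for the_FILE.enc: the registry snippet recovered in the
# post, encoded with the shift the post found (Key#31).
PLAIN = (
    "REGEDIT4\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"Systray"="C:\\\\WINDOWS\\\\system32\\\\drivers\\\\systray.exe"\n'
).encode("latin-1")
CIPHER = encode_shift(PLAIN, 31)

if __name__ == "__main__":
    key = brute_force(CIPHER)                # 31
    print(decode_shift(CIPHER, key))
    print("dropped files:", find_paths(decode_shift(CIPHER, key)))
```

The scoring picks shift 31 uniquely because any other shift sends at least one of the separators ("_", the quotes, the dot or the newline) outside the expected set.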

Level 3

Agent apok…

Good work, we have a follow up mission relating to the recent hack – but you are scheduled to take a training mission, and pass it, before we can offer you the next mission.

We want to ensure that the mission goes to you again, after your good work on the last mission – however, we can’t wait around when something this serious has happened…so please try and get through your training asap.

This mission should be a breeze for you, it's purely an observation test – to ensure you're awake. I am not entirely sure why we have to make you do it, but the heads of the company are sticking firmly to agent policies – and they won't let us proceed without you having taken the relevant training. Keep your eyes open, and check everything – the clues are there.

Good luck apok.

This time we are taken to a web page with an applet in it. If we check the page source we find the applet path:

            showStatus("An error occured, please report this to the Mod-X admins");
        }
    }

    public Training()
    {
        mylabel = new Label("Code: ");
        answer = new Label("", 1);
        code = new TextField(10);
        mybutton = new Button("Proceed...");
    }
}

The code is self-explanatory. The first thing to notice is that the applet compares the text entered by the user against a header field named Training-code. If the strings are equal, the Training-code value is Base64-encoded and the string .php is appended to it; the result is the name of the new web page we should go to. I got my training code by using Burp Suite as a proxy:

Entering the code in the applet takes us to that web page, where we get a new message:

You have completed the training exercise, well done agent.
Go to the mission conclusion and enter the solution as: nnc8V309kHS7n